How to pass Sp entityId from Idp to Shibboleth Sp?

Peter Schober peter.schober at
Tue Dec 15 03:55:55 EST 2015

* Abdul Waheed <waheedtechblog at> [2015-12-14 18:48]:
> I have deployed one application which is protected by Shib and after
> authentication I am passing uid as Shib header to my application, I am
> passing uid as assertion from IdP and mapping it in attribute_map.xml file
> at SP side.
> So now my requirement is to pass Shib entityId, Idp entityId along with uid.
> So I need all these three parameters in my application so that I can
> perform some operation.

I wonder if you need entityID because uid is only unique within the
asserting party (i.e., the IDP)? If so that's a very common scenario
and the reason why people don't use uid in federated use-cases at all.

Instead just use an identifier that's defined to be globally unique,
such as eduPersonPrincipalName (which many IDPs create dynamically
from uid + @ + their canonical DNS domain; see the eduPerson spec for
more: ).

Or use SAML2 persistent NameIDs.
(Those already contain the entityID of the asserting IDP and of the
receiving SP, as well as some opaque part identifying the subject.)

Or use email addresses.

Or eduPersonUniqueId, as per

All of these are defined to be globally unique, without requiring to
tie them to the issuer / asserting IDP.
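
The difference between a bare uid and the globally unique identifiers listed above, as an added example that is not part of the original message: two IdPs release the same local uid, and the application keys the account on the scoped eduPersonPrincipalName or on the (IdP, SP, opaque value) triple carried by a SAML2 persistent NameID. All entityIDs, user names and opaque values are constructed, and rejecting a NameQualifier that differs from the asserting IdP is this example's own policy.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed entityIDs, used only for this demo.
SP = "https://sp.example.com/shibboleth"
IDP_A = "https://idp.a.example.org/idp/shibboleth"
IDP_B = "https://idp.b.example.net/idp/shibboleth"

def nameid(idp, sp, opaque):
    """Build a constructed persistent NameID element for the demo."""
    return (f'<saml:NameID xmlns:saml="{SAML_NS}" Format="{PERSISTENT}" '
            f'NameQualifier="{idp}" SPNameQualifier="{sp}">{opaque}</saml:NameID>')

def persistent_key(nameid_xml, issuer, sp_entity_id):
    """Return (idp, sp, opaque) from a NameID the SP has already validated."""
    el = ET.fromstring(nameid_xml)
    if el.tag != f"{{{SAML_NS}}}NameID" or el.get("Format") != PERSISTENT:
        raise ValueError("not a SAML2 persistent NameID")
    # Omitted qualifiers default to the asserting IdP and the receiving SP.
    idp = el.get("NameQualifier") or issuer
    sp = el.get("SPNameQualifier") or sp_entity_id
    if idp != issuer:  # example policy: an IdP only qualifies its own identifiers
        raise ValueError("NameQualifier does not match the asserting IdP")
    opaque = (el.text or "").strip()
    if not opaque:
        raise ValueError("empty NameID value")
    return (idp, sp, opaque)

def demo():
    """Count distinct accounts under each choice of identifier."""
    logins = [
        {"issuer": IDP_A, "uid": "jsmith", "eppn": "jsmith@a.example.org",
         "nameid": nameid(IDP_A, SP, "constructed-opaque-1")},
        {"issuer": IDP_B, "uid": "jsmith", "eppn": "jsmith@b.example.net",
         "nameid": nameid(IDP_B, SP, "constructed-opaque-2")},
    ]
    by_uid = {login["uid"] for login in logins}    # two people, one key
    by_eppn = {login["eppn"] for login in logins}  # scoped, so distinct
    by_nameid = {persistent_key(login["nameid"], login["issuer"], SP)
                 for login in logins}
    return len(by_uid), len(by_eppn), len(by_nameid)

if __name__ == "__main__":
    print(demo())
```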
